Cheers, it's set my mind at ease - just find it weird it's not mentioned anywhere. I think it'd be another good addition to isaserver.org!

> -----Original Message-----
> From: Hugo Caye [mailto:Hugo@xxxxxxxxxxxxx]
> Sent: 31 August 2001 8:47
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Open Ports
>
> http://www.ISAserver.org
>
> If you can "stealth" ports, not advertising that they're "closed for
> business" in any TCP/IP host, configure it not to send ICMP Unreachable.
> In a Cisco router, at the interface level use the "no ip unreachables"
> command.
>
> In ISA, just disable the packet filter called "ICMP unreachable in" that's
> enabled by default. Please note that this preconfigured packet filter
> disables all type 3 codes, and to stealth ports only code 3 (port
> unreachable) is enough.
>
> ICMP Type=3 Destination Unreachable, Code=3 Port Unreachable (RFC792).
>
> -----Original Message-----
> From: Shayne Lebrun [mailto:slebrun@xxxxxxxxxxx]
> Sent: Friday, 31 August 2001 10:25
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Open Ports
>
> According to the TCP/IP spec, every port should respond with one of two
> options:
> 1: "Here I am, what can I do for you?"
> 2: "Sorry, closed for business."
>
> Paranoid Internet security types have added a third to the mix:
> 3: "..."
> which Steve Gibson so charmingly refers to as 'stealthed' ports.
>
> In other words, you should get a response on every port, but shouldn't
> be able to open a connection that you haven't allowed.
>
> Now, also, bear in mind that what you're doing is NAT. In other words,
> if you were to throw your firewall wide open, people still wouldn't be
> able to access anything that wasn't explicitly running on your ISA box,
> but is running behind your ISA box, unless you set up specific
> publishing rules. With a forwarding firewall, you'd be thinking
> differently.
>
> -----Original Message-----
> From: Chris Bond [mailto:chris@xxxxxxxxxxxx]
> Sent: Friday, August 31, 2001 7:27 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Open Ports
>
> Hi,
>
> Just ran a port scan on the external interface of ISA and got the
> following results:
>
> 25 smtp
> 53 domain
> 88 kerberos
> 110 pop3
> 135 epmap
> 139 netbios-ssn
> 143 imap
> 389 ldap
> 443 https
> 445 microsoft-ds
> 464 kpasswd
> 636 ldaps
> 1723 pptp
>
> Plus a few others
>
> Luckily at the moment the Cisco router has an ACL on that only allows 25
> through. What is the correct solution to stop it listening for these
> requests on the external interface (apart from port 25 of course)?
> Although it does seem to say "* BYE Connection refused" and drop the
> packets, I just find it weird that it has the ports open in the first
> place.
>
> Anybody got any ideas?
>
> Kind Regards,
> Chris Bond
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> slebrun@xxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
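The thread leaves two things to check by hand: which of the scanned listeners fall outside the intended exposure (only 25/tcp passes the router ACL), and what the three probe outcomes Shayne lists actually look like on the wire. Below is an added example, not code from the thread or from ISA Server, that parses the quoted scan listing, reports the unexpected exposure, classifies a probe reply as open, closed or stealthed, and models Hugo's caveat about suppressing all ICMP type 3 codes versus only code 3. The port list is constructed from the quoted message; the intended-exposure set of {25} is an assumption taken from the ACL remark; the note about code 4 (fragmentation needed) and Path MTU discovery is a known property of ICMP that the thread itself does not mention.

```python
import re

# Constructed sample: the thirteen "port name" lines quoted in Chris Bond's
# scan results, pasted here as input data so the block runs offline.
SCAN_LISTING = """\
25 smtp
53 domain
88 kerberos
110 pop3
135 epmap
139 netbios-ssn
143 imap
389 ldap
443 https
445 microsoft-ds
464 kpasswd
636 ldaps
1723 pptp
"""

# Assumption: the only port policy intends to expose externally is 25/tcp,
# matching the router ACL described in the thread.
INTENDED_EXPOSURE = {25}


def parse_scan_listing(text):
    """Turn 'port name' lines into {port: service_name}; non-matching lines are skipped."""
    listening = {}
    for line in text.splitlines():
        match = re.match(r"^\s*(\d{1,5})\s*(\S*)", line)
        if not match:
            continue
        port = int(match.group(1))
        if not 0 < port < 65536:
            continue
        listening[port] = match.group(2)
    return listening


def unexpected_exposure(listening, intended):
    """Listening ports that policy does not intend to expose, sorted ascending."""
    return sorted(port for port in listening if port not in intended)


def classify_probe(proto, tcp_flags=frozenset(), icmp=None, udp_payload=False):
    """Map a single probe's reply to the thread's three states.

    proto:       'tcp' or 'udp'
    tcp_flags:   flags of the TCP reply, e.g. {'SYN', 'ACK'} or {'RST', 'ACK'}
    icmp:        (type, code) of an ICMP reply, e.g. (3, 3)
    udp_payload: True if a UDP datagram came back
    Returns 'open', 'closed' or 'stealthed' (no answer at all).
    """
    flags = set(tcp_flags)
    if proto == "tcp":
        if {"SYN", "ACK"} <= flags:
            return "open"        # "Here I am, what can I do for you?"
        if "RST" in flags or (icmp is not None and icmp[0] == 3):
            return "closed"      # "Sorry, closed for business."
        return "stealthed"       # "..."
    if proto == "udp":
        if udp_payload:
            return "open"
        if icmp == (3, 3):
            return "closed"      # RFC 792 port unreachable
        # A silent UDP service and a dropped probe look identical from outside:
        # 'stealthed' says nothing about whether a service is actually there.
        return "stealthed"
    raise ValueError(f"unknown protocol {proto!r}")


def unreachable_suppressed(code, policy):
    """Would an ICMP type 3 (destination unreachable) message with this code be suppressed?

    'all_type3'  drops every type 3 code, as the thread says the preconfigured
                 ISA filter does.
    'code3_only' drops just port unreachable, which is all stealthing needs.
    """
    if policy == "all_type3":
        return True
    if policy == "code3_only":
        return code == 3
    raise ValueError(f"unknown policy {policy!r}")


def pmtud_at_risk(policy):
    """Known side effect (not from the thread): code 4, fragmentation needed with
    DF set, is what Path MTU discovery relies on, so suppressing all of type 3
    interferes with it."""
    return unreachable_suppressed(4, policy)


if __name__ == "__main__":
    listening = parse_scan_listing(SCAN_LISTING)
    for port in unexpected_exposure(listening, INTENDED_EXPOSURE):
        print(f"unexpected listener: {port}/tcp ({listening[port]})")
    for policy in ("all_type3", "code3_only"):
        print(f"{policy}: PMTU discovery at risk = {pmtud_at_risk(policy)}")
```

Run it on a pasted scan listing and the unexpected listeners are exactly the ones a publishing rule or the router ACL must keep closed; the two policy lines show why Hugo's "only code 3 is enough" is the safer setting.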